Re: [Shutup] [ietf-smtp] Levels of proposals

Chris Lewis, Fri, 04 December 2015 22:19 UTC

List-Id: SMTP Headers Unhealthy To User Privacy

On 12/04/2015 02:18 PM, Ned Freed wrote:

> We're also getting reports of activities that look like attempts to trick
> MTAs into relay through the use of oddball address formats, some legal,
> some not. Not sure if this is what you're seeing or not.

What you're describing sounds like old-school open relay trickery. 
Indeed, what you could be seeing is decade-old or older open relay 
testers being used to scan for "buggy" open relay prevention.

What I'm seeing isn't that at all.  What I see is more like "for 
everybody I want to spam (address A), pick another address (address B), 
connect to address B's MX, forge the email to be From: address B, and 
attempt to get B's MX to relay to address A".

However, it's possible that what I'm seeing would shift gears to more 
obvious trickery if the first attempt failed.  If you see the same IP 
hitting more normal relay rejects before trying the oddball addresses, 
it could be.

If you sent me a log record or received string[s] (off-forum please) I 
can probably tell for sure.
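The two patterns discussed in this exchange, as an added example that is not part of the list post and not code from either correspondent: a small relay-policy classifier that separates (a) the "forge From: as a local user, then ask that user's MX to relay to an outside address" pattern from (b) old-school relay trickery using oddball address syntax (percent hack, RFC 821 source routes, UUCP bang paths), and then checks per client IP whether plain relay rejects are followed by oddball attempts, the escalation the post says would settle the question. It goes slightly beyond the text by handling all three classic syntaxes rather than one. The local-domain list, the trusted-network prefix, and the envelope records are constructed assumptions for the demo; a real MX enforces this at RCPT TO time, and the records would come from its logs.

```python
"""Relay-attempt classifier (added example; all data below is constructed)."""
from collections import defaultdict

# Assumptions for the demo: domains this MX accepts mail for, and the
# client networks allowed to relay without SMTP AUTH (a toy "mynetworks").
LOCAL_DOMAINS = {"example.org"}
TRUSTED_NETS = ("192.0.2.",)


def domain_of(addr):
    """Return the domain part of an envelope address ('' if it has none)."""
    a = addr.strip("<>").lower()
    return a.rsplit("@", 1)[1] if "@" in a else ""


def is_oddball(addr):
    """True for the old relay-trick syntaxes: '@relay:user@target' source
    routes, 'user%target@relay' percent hacks, 'relay!user' bang paths,
    or anything carrying more than one '@'."""
    a = addr.strip("<>")
    local_part = a.rsplit("@", 1)[0] if "@" in a else a
    return (a.startswith("@")
            or "%" in local_part
            or "!" in local_part
            or a.count("@") > 1)


def classify(ev):
    """Verdict for one envelope: dict with ip, auth (bool), mail_from, rcpt_to."""
    if ev["auth"] or ev["ip"].startswith(TRUSTED_NETS):
        return "accept"                      # authenticated or trusted client may relay
    if is_oddball(ev["rcpt_to"]) or is_oddball(ev["mail_from"]):
        return "reject-oddball"              # relay trickery via address syntax
    rcpt_local = domain_of(ev["rcpt_to"]) in LOCAL_DOMAINS
    sender_local = domain_of(ev["mail_from"]) in LOCAL_DOMAINS
    if rcpt_local:
        return "accept"                      # inbound mail for a local user
    if sender_local:
        # Unauthenticated outsider, forged local sender, outside recipient:
        # the "connect to B's MX, be From: B, relay to A" pattern.
        return "reject-forged-local-sender-relay"
    return "reject-relay"                    # ordinary unauthorized relay


def analyze(events):
    """Per client IP: the verdict sequence, plus whether plain relay rejects
    were followed by oddball-syntax attempts (the escalation to watch for)."""
    per_ip = defaultdict(list)
    for ev in events:
        per_ip[ev["ip"]].append(classify(ev))
    report = {}
    for ip, verdicts in per_ip.items():
        seen_plain_reject = escalated = False
        for v in verdicts:
            if v in ("reject-relay", "reject-forged-local-sender-relay"):
                seen_plain_reject = True
            elif v == "reject-oddball" and seen_plain_reject:
                escalated = True
        report[ip] = {"verdicts": verdicts, "escalated": escalated}
    return report


# Constructed sample envelopes (not real log data).
EVENTS = [
    {"ip": "203.0.113.7", "auth": False,
     "mail_from": "<bob@example.org>", "rcpt_to": "<alice@example.net>"},
    {"ip": "203.0.113.7", "auth": False,
     "mail_from": "<carol@example.org>", "rcpt_to": "<dave@example.com>"},
    {"ip": "198.51.100.9", "auth": False,
     "mail_from": "<x@spam.invalid>", "rcpt_to": "<y@example.net>"},
    {"ip": "198.51.100.9", "auth": False,
     "mail_from": "<x@spam.invalid>", "rcpt_to": "<y%example.net@example.org>"},
    {"ip": "192.0.2.5", "auth": False,
     "mail_from": "<erin@example.org>", "rcpt_to": "<frank@example.net>"},
    {"ip": "203.0.113.99", "auth": False,
     "mail_from": "<x@spam.invalid>", "rcpt_to": "<alice@example.org>"},
]

if __name__ == "__main__":
    for ip, info in analyze(EVENTS).items():
        print(ip, info)
```

The forged-local-sender verdict is only meaningful for unauthenticated clients outside the trusted networks; a local user submitting through the same MX with AUTH legitimately has a local From and outside recipients, which is why that check comes first.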